**************************************************************************
Security Bulletin 9210                  DISA Defense Communications System
March 19, 1992              Published by: DDN Security Coordination Center
                                      (SCC@NIC.DDN.MIL)   1-(800) 365-3642

                        DEFENSE  DATA  NETWORK
                          SECURITY  BULLETIN

The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security
Coordination Center) under DISA contract as a means of communicating
information on network and host security exposures, fixes, and concerns
to security and management personnel at DDN facilities. Back issues may
be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5]
using login="anonymous" and password="guest". The bulletin pathname is
scc/ddn-security-yynn (where "yy" is the year the bulletin is issued
and "nn" is a bulletin number, e.g. scc/ddn-security-9210).
**************************************************************************
*** Macintosh INIT 1984 Virus Discovered ***
Virus: INIT 1984
Damage: high
Spread: minimal
Systems affected: Apple Macintosh computers. All types.
A new virus, which has been designated "INIT 1984", has been
discovered on Apple Macintosh computer systems. This virus is designed
to trigger if an infected system is booted on any Friday the 13th in
1991 or later years. Damage from the virus includes changing the names
and attributes of a large number of folders and files to random
strings and the actual deletion of a small percentage (< 2%) of files.
The virus infects only system extensions of type "INIT" (also known as
"startup documents"). It does not infect the System file, desktop
files, control panel files, applications, or document files. Because
INIT files are shared less frequently than are applications, and
because of the structure of the virus code, the INIT 1984 virus does
not spread as rapidly as most other viruses.
As of the date of this announcement (3/19/92), we have only a few
reported sightings of this virus, including one from a site in Europe
and one from a site in the USA. In both cases, the virus caused
significant damage when infected Macintoshes were restarted on Friday,
3/13/92. Because only a few reports of damage were received, we have
reason to believe that the virus is not widespread. However, it is
conceivable that this virus might have affected Macintosh systems on
Friday 9/13/91 or Friday 12/13/91 without being recognized as the
cause of the damage. If you think you may have been a victim of this
virus in 1991, please contact me via e-mail at spaf@cs.purdue.edu.
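The trigger condition and incident dates described above can be checked mechanically when triaging unexplained damage reports. The Python below is an added example, not part of the original bulletin; the host names and restart records are constructed, and it assumes recorded restart dates match each machine's system clock.

```python
from datetime import date

# From the bulletin: triggers on "any Friday the 13th in 1991 or later years".
TRIGGER_START_YEAR = 1991


def is_trigger_date(d: date) -> bool:
    """True if a boot on this date meets the bulletin's trigger condition."""
    return d.year >= TRIGGER_START_YEAR and d.day == 13 and d.weekday() == 4  # 4 = Friday


def trigger_dates(start: date, end: date) -> list[date]:
    """All trigger dates in [start, end], inclusive."""
    found = []
    year, month = start.year, start.month
    while (year, month) <= (end.year, end.month):
        candidate = date(year, month, 13)
        if start <= candidate <= end and is_trigger_date(candidate):
            found.append(candidate)
        month += 1
        if month > 12:
            year, month = year + 1, 1
    return found


def flag_restarts(records):
    """records: iterable of (host, 'YYYY-MM-DD') restart entries.
    Returns the (host, date) pairs that restarted on a trigger date."""
    flagged = []
    for host, day in records:
        d = date.fromisoformat(day)
        if is_trigger_date(d):
            flagged.append((host, d))
    return flagged


# Constructed sample restart log (hypothetical hosts, not real data).
SAMPLE_RESTARTS = [
    ("mac-lab-01", "1990-07-13"),  # a Friday the 13th, but before 1991
    ("mac-lab-02", "1991-09-13"),
    ("mac-lab-03", "1991-12-12"),  # the day before a trigger date
    ("mac-lab-04", "1992-03-13"),
    ("mac-lab-05", "1992-03-16"),
]

if __name__ == "__main__":
    for d in trigger_dates(date(1991, 1, 1), date(1992, 3, 19)):
        print("possible trigger date:", d.isoformat())
    for host, d in flag_restarts(SAMPLE_RESTARTS):
        print("check for damage:", host, d.isoformat())
```

Machines flagged this way are candidates for review against the damage pattern described above (renamed folders and files, a small number of deleted files), not confirmed infections.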
The current versions of Gatekeeper and SAM Intercept (in advanced and
custom mode) are effective against this virus. Either program should
generate an alert if the virus is present and attempts to spread to
other files.
The virus affects all types of Macintosh computers. It spreads and
attacks under both System 6 and System 7. On very old Macintoshes
(those with the 64K ROMs), the virus will cause crashes at boot time.
Authors of all major Macintosh anti-virus tools are planning updates
to their tools to locate and/or eliminate this virus. Some of these
are listed below. We recommend that you obtain and run an updated
version of at least one of these programs.
Some specific information on updated Mac anti-virus products follows:

Tool: Disinfectant
Status: Free software (courtesy of Northwestern University and
        John Norstad)
Revision to be released: 2.7
Where to find: usual archive sites and bulletin boards --
               ftp.acns.nwu.edu, sumex-aim.stanford.edu,
               rascal.ics.utexas.edu, AppleLink, America Online,
               CompuServe, Genie, Calvacom, MacNet, Delphi,
               comp.binaries.mac
When available: (expected) 3/18/92

Tool: Gatekeeper
Status: Free software (courtesy of Chris Johnson)
Revision to be released: 1.2.5
Where to find: usual archive sites and bulletin boards --
               microlib.cc.utexas.edu, sumex-aim.stanford.edu,
               rascal.ics.utexas.edu, comp.binaries.mac
When available: (expected) 3/20/92

Tool: Rival
Status: Commercial software
Revision to be released: INIT 1984 Vaccine
Where to find it: AppleLink, America Online, Internet, CompuServe.
When available: Immediately.

Tool: SAM (Virus Clinic and Intercept)
Status: Commercial software
Revision to be released: 3.0.7
Where to find: CompuServe, America Online, AppleLink, Symantec's
               Bulletin Board @ 408-973-9598
When available: Immediately. Version 3.0.7 of the Virus
                Definitions file is also available.

Tool: Virex INIT
Status: Commercial software
Revision to be released: 3.7
Where to find: Microcom, Inc (919) 490-1277
When available: Immediately.
Comments:
     Virex 3.7 will detect and repair the virus. All
     Virex subscribers will automatically be sent an update on
     diskette. All other registered users will receive a notice with
     information to update prior versions to be able to detect
     INIT-1984. This information is also available on Microcom's BBS,
     (919) 419-1602, and is given below.

     Virus Name:  INIT 1984          Guide Number: 5275840
     Virus Code:  0049 4E49 5410 07C0 96
                  3008 1490 7710 002F 2C
                  3C49 4E49 5400 0300 1E
                  4AA9 AB55 4F81 8090 9A

Tool: Virus Detective
Status: Shareware
Revision to be released: 5.0.3
Where to find: Usual bulletin boards will announce a new search string.
               Registered users will also get a mailing
               with the new search string.
When available: Immediately.
Comments: search string is
Resource INIT & Size<4500 & WData 494E#EA994*4954#8A9AB ; For finding INIT1984

The SCC wishes to acknowledge Mr. Gene Spafford of Purdue University
as the author of this document.
****************************************************************************
* *
* The point of contact for MILNET security-related incidents is the *
* Security Coordination Center (SCC). *
* *
* E-mail address: SCC@NIC.DDN.MIL *
* *
* Telephone: 1-(800)-365-3642 *
* *
* NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST, *
* Monday through Friday except on federal holidays. *
* *
****************************************************************************